Why You Need Incident Response Fire Drills | ActZero

Written by Adam Winston | Nov 1, 2021 4:00:00 AM

Practice, practice, practice – practice is key to improvement.

If we want to get better at a sport, an instrument, or a skill, we need to practice. In our schools and our offices, we practice fire drills from time to time so that, should the worst happen, we’ll know what to do to keep ourselves safe.

And just like in case of fire, you need to practice incident response (IR) scenarios, so you know what to do in the event of an active breach. Running IR drills and having a fully prepared response will help you take an offensive position against attackers.

Here’s our guideline for planning out your next IR fire drill.

Address any false sense of preparation

Simply having IR policies created by an IT department does not mean you’re prepared to react effectively to a breach. These plans describe a workflow that an IT department hopes others will follow in an emergency. Such plans are designed like software—optimized for time, assuming effective communications will be in place, with people (and power) available to deal with urgent issues.

In practice, however, that’s not how things usually happen. So don’t let the mere existence of a plan give you a false sense of preparedness.

Work step-by-step through your IR plan

While you need an IR plan, it’s only by practicing the steps again and again while racing against the clock that you will know if you’re actually prepared or not. It’s really in the continuous practice that you create and define a workable plan.

Building this kind of plan means involving everyone—including legal, management, compliance, end users, and executives, not just IT—so that the plan takes into account people’s various skills and competencies.

Think of it like putting together a play. Instead of designing procedures ahead of time and assigning rigid roles, you need to bring people into the room to help design it. Study the team, rehearse them, watch them use their skill sets, see where their competencies lie, see how much time they need to complete tasks. This is necessary for you to understand how the plan will execute in the real world.

Management and the whole team have put their faith in you and have expectations for how your plan will help protect them and the company when there’s a real-world threat. This kind of rehearsal justifies their trust and demonstrates to management and the team that in a crisis you know what to do.

Anticipate the strategies and tactics of attackers

Part of your practice and preparation needs to take into account that your adversary is devious and underhanded.

Hackers won’t always launch an attack during business hours, for example. They won’t wait for you to be fully staffed for the day. Rather, they will purposely attack you when you are least prepared and the most vulnerable.

They’ll wait until no one is around. They’ll attack in the middle of the night, or on a weekend, or during a holiday. They do this because they know most organizations don’t have IR scenarios to cover these times or situations.

Make sure you’re not one of those companies.

Thinking like your enemy and anticipating how they might attack you is revealing, and it is the only way to get an honest assessment of your level of preparedness. A single attack can destroy your organization in minutes. Focus on responding to and containing attacks faster, and keep cutting the time your response takes. Have a concrete goal to work towards: don’t rest until you get every IR response down to under 15 minutes.

Share knowledge and put it into practice

The truth is that very few people know how to initiate communication during a breach. They don’t know how to ask the right questions, seek advice, or find the experts when the network and the systems are down.

They don’t know because no one bothered to tell them how.

Anyone—and I mean anyone—who detects the attack needs to be able to initiate the plan. They need to know where everything and everyone is and how to solve the issue. They need to know where to turn to answer questions like “Should we turn all the laptops off?” “Do we kill the power?” “What’s going to happen when we turn the power back on?”

Make certain everyone on your team has the ability to communicate the problem and get answers. They need to know what happened, when it happened, and how to respond—all with that 15-minute timer running.
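One way to turn the drill goals above (every response under 15 minutes, off-hours scenarios rehearsed, and anyone, not only IT, able to start the plan) into an objective scorecard is to log each drill and score the log. This is an added example, not part of the original post or an ActZero tool; the `Drill` record, the 08:00-18:00 business-hours window, and the sample drill entries are constructed assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta

RESPONSE_GOAL = timedelta(minutes=15)  # the post's target: every response under 15 minutes


@dataclass
class Drill:
    scenario: str
    detected_at: datetime      # when the simulated attack was first noticed
    contained_at: datetime     # when the simulated attack was contained
    initiated_by: str          # team of whoever kicked off the IR plan

    def response_time(self) -> timedelta:
        return self.contained_at - self.detected_at

    def off_hours(self) -> bool:
        # Weekend, or a weekday outside the assumed 08:00-18:00 window:
        # the times the post says attackers deliberately pick.
        d = self.detected_at
        return d.weekday() >= 5 or not (8 <= d.hour < 18)


def score_drills(drills: list[Drill]) -> dict:
    """Summarise a drill log against the post's three goals."""
    failing = [d.scenario for d in drills if d.response_time() >= RESPONSE_GOAL]
    slowest = max(d.response_time() for d in drills)
    return {
        "all_under_goal": not failing,
        "failing": failing,
        "slowest_minutes": slowest.total_seconds() / 60,
        "off_hours_covered": any(d.off_hours() for d in drills),
        "non_it_initiators": sorted({d.initiated_by for d in drills} - {"IT"}),
    }


# Constructed sample log: hypothetical drills, not real incidents.
SAMPLE_DRILLS = [
    Drill("Ransomware on file server", datetime(2021, 11, 2, 10, 0),
          datetime(2021, 11, 2, 10, 12), "IT"),        # Tuesday, business hours
    Drill("Phishing credential theft", datetime(2021, 11, 6, 2, 30),
          datetime(2021, 11, 6, 3, 10), "Helpdesk"),   # Saturday night: 40 min
    Drill("Compromised laptop", datetime(2021, 11, 4, 19, 40),
          datetime(2021, 11, 4, 19, 54), "Finance"),   # Thursday evening
]

if __name__ == "__main__":
    for key, value in score_drills(SAMPLE_DRILLS).items():
        print(f"{key}: {value}")
```

A scenario that misses the goal names itself in `failing`, so each drill cycle shows exactly which part of the plan still needs rehearsal.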

How ActZero’s Incident Response Guide can help

No one on your team should ever be in a position of having no idea what to do during a security incident. While you can work with outside companies to improve your security posture, fundamentally these are events that you have to understand yourselves.

Documenting your process, developing an IR plan, and practicing it over and over gives you an objective record and assessment of your skillset in a breach situation. It will let your IT department figure out where their competencies begin and end.

This is important because, despite strong IT competencies, there are some attacks that you simply won’t be able to deal with or reverse yourselves. You may lack important tools or experience to deal with particularly sophisticated attacks. It can be a humbling realization. Better to know in advance the circumstances under which you need to call for help.

As for the IR plan itself, sometimes it’s worthwhile to outsource the most difficult and time-consuming components of IR to a security platform like ActZero with MDR capabilities that can remove attacks in progress in milliseconds, not minutes. ActZero can also provide additional coaching where needed, which will help give you clarity and help you determine and justify additional security expenses that might be needed. To see our service in action, request a demo here.

To assist you in your preparation process, we’ve prepared the ActZero Incident Response Guide. It’s a step-by-step list of actions for IT teams to take in the event of potential chaos, and it serves as a useful template for your own IR plan. To start preparing, download the guide here.